I am not comfortable with this documentation:
- "always the same" -- only as long as the config variables for salt and private key don't change.
- 43 characters -- that is very specific. How do you know it is always 43 characters, and is it really necessary to say that even if it is always 43 characters?

It's useful to understand that the purpose of this function is to give you something that's reproducible, because that's how the whole token system works: you make a token to give to the user, and then when the user performs an action, you *re-create* the token and compare it with what the user gave you. That's an important idea to grasp, and I'd be wary of watering it down by trying to be ultra-precise.

Of course they are not *likely* to change, but as they're just config variables, I don't think I would word documentation to say that they *cannot* change. I think I would word it to say that as long as these configuration options aren't changed, it's unchanging, because that is always the case.

drupal_get_token() calls drupal_hmac_base64() to calculate the hash. By definition, a SHA-256 hash has a fixed length of 256 bits (32 bytes). Base64 encoding gives a length of 44 bytes, including one padding character ("="), which will get removed by the function drupal_hmac_base64().

Therefore the length of the return value of drupal_get_token() is always 43.

Thanks... but my comments in #6 were not addressed. Also, this patch is not formatted correctly. It needs to be all one paragraph with complete sentences, with each line wrapping as close to 80 characters as possible without going over. I am also not sure that we need to document why the length is 43 characters. What we need to document is how/when the return value is the same or different.

"A URL-safe token (fixed string of 43 characters), which will always be the same for a given $value on the same site, as long as the session_id remains unchanged and $drupal_hash_salt is not modified in settings.php."
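
The two points discussed in this thread (the token is re-created and compared, and its length is fixed at 43 characters) can be seen in a standalone sketch. This is an added example, not Drupal's own code and not part of the original comments: the `example_*` function names, the order in which the key parts are concatenated, the use of `hash_equals()` for the comparison, and all key values are assumptions constructed for illustration.

```php
<?php
// Added example, not Drupal core code. Names and key values are constructed.

function example_hmac_base64(string $data, string $key): string {
  // HMAC-SHA-256 yields 32 raw bytes; base64 turns that into 44 characters,
  // the last of which is always a single "=" padding character.
  $hmac = base64_encode(hash_hmac('sha256', $data, $key, true));
  // Make the result URL-safe and strip the padding: 43 characters remain.
  return strtr($hmac, ['+' => '-', '/' => '_', '=' => '']);
}

function example_get_token(string $value, array $cfg): string {
  // Assumption: the HMAC key is session id + private key + hash salt.
  $key = $cfg['session_id'] . $cfg['private_key'] . $cfg['hash_salt'];
  return example_hmac_base64($value, $key);
}

function example_valid_token(string $submitted, string $value, array $cfg): bool {
  // Re-create the token server-side and compare in constant time.
  return hash_equals(example_get_token($value, $cfg), $submitted);
}

// Constructed sample configuration (not real secrets).
$cfg = [
  'session_id'  => 'constructed-session-id',
  'private_key' => 'constructed-private-key',
  'hash_salt'   => 'constructed-hash-salt',
];

$token = example_get_token('node_delete_42', $cfg);
printf("token:  %s\n", $token);
printf("length: %d\n", strlen($token));

// Same value, same session, same config: the token is reproduced and accepted.
var_dump(example_valid_token($token, 'node_delete_42', $cfg));

// A different $value gives a different token, so the old one is rejected.
var_dump(example_valid_token($token, 'node_delete_43', $cfg));

// Changing the salt (or the session id) invalidates previously issued tokens.
$rotated = ['hash_salt' => 'constructed-new-salt'] + $cfg;
var_dump(example_valid_token($token, 'node_delete_42', $rotated));

// The length does not depend on the input or the key.
var_dump(strlen(example_get_token(str_repeat('x', 1000), $rotated)));
```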